Post
Topic
Board Reputation
Re: [ON HOLD] Thoughts: paying hackers to get accounts back: ethical or not?
by Quickseller on 14/12/2018, 14:39:29 UTC
~ perhaps it would put pressure on the admins to put more effort into account recoveries.
3 days later:
As an extra protection against any possible social engineering attacks, whenever* the administration changes an account's email address from its current value, the following process occurs:
 - The change is queued.
 - It is listed in seclog.php.
 - The old email receives a warning.
 - After 7 days, the change goes through and another seclog.php entry is added.

The account stays locked throughout all of this.

This is a component of a comprehensive new set of recovery procedures which will be fully rolled out in the very near future (before the end of the year). This will allow recoveries to move forward at a reasonable pace again.
That means I can put this idea on hold now.

Well, it sounds like this project likely served its intended purpose.
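
The delayed email change quoted above, modelled as a small state machine. This is an added example, not part of the original post and not the forum's code; the class names, the in-memory `seclog` and `outbox` lists, and the sample account are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(days=7)  # the 7-day delay stated in the quoted procedure

@dataclass
class Account:
    name: str
    email: str
    locked: bool = False
    pending: Optional[tuple] = None  # (new_email, queued_at) while a change waits

@dataclass
class Recovery:
    seclog: list = field(default_factory=list)  # stand-in for seclog.php entries
    outbox: list = field(default_factory=list)  # (recipient, text) instead of real mail

    def queue_change(self, acct, new_email, now):
        """Steps 1-3: queue the change, log it, warn the OLD address."""
        if acct.pending:
            raise ValueError("a change is already queued for this account")
        acct.pending = (new_email, now)
        acct.locked = True  # the account stays locked throughout
        self.seclog.append((now, acct.name, "email change queued"))
        self.outbox.append((acct.email,
            f"Email change for {acct.name} takes effect {now + HOLD:%Y-%m-%d}"))

    def process(self, acct, now):
        """Step 4: apply the change only once the full hold has elapsed."""
        if not acct.pending:
            return False
        new_email, queued_at = acct.pending
        if now - queued_at < HOLD:
            return False  # too early: nothing changes, nothing is logged
        acct.email, acct.pending = new_email, None
        self.seclog.append((now, acct.name, "email change applied"))
        # Unlocking is not described in the quoted text, so it is left out.
        return True

def demo():
    t0 = datetime(2018, 12, 14, tzinfo=timezone.utc)  # constructed sample data
    acct, rec = Account("alice", "old@example.com"), Recovery()
    rec.queue_change(acct, "new@example.com", t0)
    early = rec.process(acct, t0 + timedelta(days=6, hours=23))
    late = rec.process(acct, t0 + HOLD)
    return early, late, acct, rec
```

The warning goes to the address being replaced, so the existing owner has the whole hold period to notice a change they did not request.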